Full Disclosure mailing list archives
Re: PGP vs. certificate from Verisign
From: Valdis.Kletnieks () vt edu
Date: Fri, 09 May 2003 14:57:44 -0400
On Fri, 09 May 2003 13:22:27 CDT, Kamal Habayeb <mountainfury () hotmail com> said:
I'm trying to get some expert opinions on which is better. Using Outlook 2002, would it be better to use PGP to encrypt messages or use the built-in option with a digital certificate from Verisign (or some other CA)?
Yes. ;) (or more correctly, both are good solutions for different problems).

The *real* question is - is the threat model you're protecting against better addressed with a web-of-trust defense or a hierarchical defense?

Basically, the PGP model works better if there's reason to believe that most of the verifying will be done between people who know each other, or are likely to have a large set of intermediaries in common ("I don't know who you are, but 5 people I know all say you're Fred, so you probably are..."). The X.509 solution works better if there's little or no chance that the entity you're encrypting from/to is previously known to you.

Alternatively, you have to ask the question "Do I trust my friends or Verisign more, to make *SURE* that this entity is who they say they are?" (but make sure to read http://www.cert.org/advisories/CA-2001-04.html and remember that this incident is merely the most visible case of one of the single biggest problems with the whole concept of X.509).

(Personally, I use PGP because the whole IETF/NANOG/security community is fairly small and closed (perhaps 10K people, tops?), and PGP is a better fit than X.509, which is designed for hundreds of millions of users that you've never heard of before, and will never hear from again).

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
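The two trust models contrasted in the reply above, as an added example that is not part of the original message and is not PGP's or any X.509 library's real validation code: a hierarchical check walks signatures up to a configured root CA, while a web-of-trust check counts endorsements from people the relying party has chosen to trust (GnuPG's default is one fully trusted introducer or three marginal ones; the post's "5 people" is the same idea with a stricter threshold). The key names, signers, and the `ExampleCA` root are all constructed for illustration. The `misissued` entry shows the CA-2001-04 point: a certificate a trusted root should never have issued still chains perfectly.

```python
"""Toy comparison of hierarchical (X.509-style) vs web-of-trust (PGP-style)
key validation.  Added example; constructed data, not real keys."""
from dataclasses import dataclass, field


@dataclass
class Key:
    owner: str                               # identity the key claims
    signers: set = field(default_factory=set)  # names of keys that signed it


# Constructed key graph.  Dict keys are the names a relying party looks up.
KEYS = {
    # Fred is well known in a small community: five peers signed his key,
    # but no CA ever vouched for him.
    "fred": Key("fred", {"alice", "bob", "carol", "dave", "erin"}),
    "alice": Key("alice", {"me"}),
    "bob": Key("bob", {"me"}),
    "carol": Key("carol", {"me"}),
    "dave": Key("dave", {"me", "alice"}),
    "erin": Key("erin", {"bob"}),
    # A stranger nobody I know has met, but who holds a certificate
    # chaining through an intermediate to ExampleCA.
    "intermediate": Key("intermediate", {"ExampleCA"}),
    "stranger": Key("stranger", {"intermediate"}),
    # A certificate ExampleCA should never have issued (CA-2001-04 style):
    # the key claims to be "fred" but none of Fred's peers signed it.
    "misissued": Key("fred", {"ExampleCA"}),
}


def x509_valid(name, keys, roots, max_depth=8):
    """Hierarchical model: True if `name` chains by signatures to a root.

    Nothing about *who* the signer knows matters; only the path to a root.
    """
    seen = set()
    frontier = [(name, 0)]
    while frontier:
        cur, depth = frontier.pop()
        if cur in roots:
            return True
        if cur in seen or depth >= max_depth:
            continue
        seen.add(cur)
        key = keys.get(cur)
        if key is None:
            continue
        for signer in key.signers:
            frontier.append((signer, depth + 1))
    return False


def wot_valid(name, keys, full_trust, marginal_trust, marginals_needed=3):
    """Web-of-trust model: True if one fully trusted introducer signed the
    key, or at least `marginals_needed` marginally trusted ones did.

    `full_trust` / `marginal_trust` are the relying party's own choices;
    they are ownertrust, not a property of the signed key.
    """
    key = keys.get(name)
    if key is None:
        return False
    if key.signers & full_trust:
        return True
    return len(key.signers & marginal_trust) >= marginals_needed


def demo(marginals_needed=5):
    """Evaluate the constructed graph under both models."""
    roots = {"ExampleCA"}           # the CA my mail client ships with
    full = {"me"}                   # I accept my own signatures outright
    marginal = {"alice", "bob", "carol", "dave", "erin"}  # peers I know
    return {
        "fred_x509": x509_valid("fred", KEYS, roots),
        "fred_wot": wot_valid("fred", KEYS, full, marginal, marginals_needed),
        "stranger_x509": x509_valid("stranger", KEYS, roots),
        "stranger_wot": wot_valid("stranger", KEYS, full, marginal, marginals_needed),
        # Chains cleanly even though the key is bogus: the hierarchical model
        # has no second opinion once the root has signed.
        "misissued_x509": x509_valid("misissued", KEYS, roots),
        "misissued_wot": wot_valid("misissued", KEYS, full, marginal, marginals_needed),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:16s} {'VALID' if ok else 'not valid'}")
```

Running it prints that `fred` validates only under the web of trust, `stranger` only under the hierarchy, and `misissued` under the hierarchy alone; raising or lowering `marginals_needed` is the knob that decides how many acquaintances have to agree before a key counts as Fred's.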
Current thread:
- PGP vs. certificate from Verisign Kamal Habayeb (May 09)
- Re: PGP vs. certificate from Verisign Valdis . Kletnieks (May 09)
- Re: PGP vs. certificate from Verisign Shawn McMahon (May 09)
- Re: PGP vs. certificate from Verisign Scott M. Algatt (May 09)
- Re: PGP vs. certificate from Verisign Anne Carasik (May 09)
- Re: PGP vs. certificate from Verisign Georgi Guninski (May 10)
- RE: PGP vs. certificate from Verisign Kamal Habayeb (May 10)
- Re: PGP vs. certificate from Verisign Steve Poirot (May 10)
- Re: PGP vs. certificate from Verisign Derek Atkins (May 10)
- Re: PGP vs. certificate from Verisign Ben Laurie (May 10)
- Re: PGP vs. certificate from Verisign Jason (May 10)
- Re: PGP vs. certificate from Verisign yossarian (May 10)
- Re: PGP vs. certificate from Verisign Valdis . Kletnieks (May 09)